'DRM-free' iTunes songs raise concerns

SAN JOSE, California (AP) -- Apple Inc.'s recent rollout of songs without copy protection software at its iTunes Store has given consumers new flexibility, but questions have emerged over the company's inclusion of personal data in purchased music tracks.

Are the songs that are being billed as free of so-called digital rights management technology really "DRM-free" or are there still strings attached?

The Electronic Frontier Foundation, a consumer watchdog group, said the embedded user information in the purchased track raises privacy issues.

Apple declined to comment.

The trendsetting Cupertino-based company has always embedded user information -- a user name and e-mail -- into its copy-protected tracks. But until the market-leading iTunes Store began offering DRM-free music last week, no one raised much of a ruckus.

DRM technology puts a sort of software lock on digital songs or movies, dictating where and how the content can be played and distributed. With DRM-free content, some songs purchased from iTunes now work directly on portable players other than Apple's iPod, including Microsoft Corp.'s Zune.

Though piracy of digital music over the Internet remains unabated even with the growth of legitimate online retailers like iTunes, Apple's debut of DRM-free songs could tempt some of its users to share their purchased tracks with others online.

Technology blogs Ars Technica and The Unofficial Apple Weblog were among the first to reveal that personal data remained in the unrestricted iTunes tracks. Their reports last week prompted speculation that the data could be used to trace copies uploaded to online file-sharing networks back to the people who originally purchased the tracks, opening those users to music industry copyright lawsuits.

The Recording Industry Association of America, whose piracy lawsuits have ensnared organized outfits as well as individual grandmothers and youths, declined to comment. EMI Group PLC, the major record label behind Apple's inaugural batch of DRM-free songs, also declined to comment.

"DRM prevented us from playing the music we have purchased on all of our devices. We asked that this be removed and we got what we were looking for," said Erica Sadun, a prolific technology blogger on TUAW.com and author who conducted her own tests of Apple's embedded identification tags.

"But I'm on the fence in terms of the privacy issues," she said in an interview. "Consumers should always know what they're getting into."

The Electronic Frontier Foundation, which also analyzed the DRM-free song files on iTunes, said it did not want to jump to any conclusions on Apple's reasons for embedding the personal data.

Besides, users can remove their identifying data from the files simply by burning the tracks to a CD and then ripping the songs back to their computer in the MP3 format, said Fred Von Lohmann, an attorney with the San Francisco-based group.

Still, the group takes issue with the fact that the personal information stored in these type of song files is not encrypted. If someone were to lose their iPod or have their laptop stolen, for example, anyone using simple software tools could access the personal data in the songs, von Lohmann suggested.

"It just seems careless and unwise for somebody like Apple to start planting this kind of personal information without protection in the files," von Lohmann said. "It's not as bad as leaking your credit card number or your Social Security number, but it's still a pretty careless security leak."

Michael Gartenberg, an analyst at JupiterResearch, said he does not think Apple planned to use the personal data as a secretive tracking tool.

"I think it's more of a way of retaining a proof of purchase," he said, adding how the identifying tags on copy-protected tracks likely facilitated Apple's ability to approve user upgrades to previous song purchases.

"'DRM-free' means I'm not restricted from putting the songs on other devices anymore, but it doesn't give users a license for piracy," he said.

Ultimately, whether it's intentional or just an inadvertent deterrent for the illegal sharing of digital tunes, Gartenberg predicts other major online music retailers will similarly embed user tags once they, too, start to introduce DRM-free songs.

"I think everyone is going to have to do this as some way for tracking purchases," he said.

Sadun agreed.

"It's a brilliant compromise," she said, "between the forces of the music industry which have been too heavy handed and the forces of consumers who perhaps have pulled too far toward information freedom."

Online music retailer eMusic.com, which sells songs in the unrestricted MP3 format mostly from independent labels, says it keeps of a record of user purchases on its own computer servers but doesn't place any kind of user data in any of its tracks sold.

Apple should be more upfront about its purpose for the embedded information, said David Pakman, eMusic's chief executive. "You should tell customers what you're doing with it before they spend money with you," he said.

Top Poster Of Month

Not surprisingly, this is being misrepresented on several fronts. 1) putting your user ID on the file when you download it is NOT DRM. Is it sneaky? Maybe, but it also falls into the category of, if you're not doing anything wrong (i.e. distributing the content) why do you care? 2) I've seen several sources report that songs you bought from ITMS ALREADY had your user ID tagged on them, before they removed the DRM so this may be a case of anti-RIAA groups making something of nothing.

Top Poster Of Month

Maybe, but it also falls into the category of, if you're not doing anything wrong (i.e. distributing the content) why do you care?

Click to expand...

Suffice to say that I find this particular comment extremely disturbing and that I vehemently disagree with it.

Click to expand...

I actually disagree with this theory as well but normally people talk about it in the sense of being spied on. No one is spying here. No one is going to see your name or files unless you put it out on P2P or something.

Top Poster Of Month

Good point Chris. I guess the only relevant question then is, is this new or has Apple already been doing it with all ITMS music and people are just making a big deal now to take a shot at DRM-free music?

Again, if you're not doing anything illegal, why care? To say that I have grown calloused of DRM, DMCA, etc, etc is a gross understatement. I guess I may be unique in the fact that I used to be a passionate advocate of DRM-free and Fair Use, but now I really don't care.

I guess the only relevant question then is, is this new or has Apple already been doing it with all ITMS music and people are just making a big deal now to take a shot at DRM-free music?

Click to expand...

That I don't know, hopefully someone else does. Personally, I'd prefer if my personal information wasn't in ANY music file, DRM or not. I don't really use iTunes (initially for the DRM, but more because I still would rather have the CD than pay the same amount from iTunes.)

You buy a bunch of these new DRM free songs from iTunes which are all imbeded with your information (email address, etc.)
You put them all on your shiny new iPod.
Your iPod is stolen and the thief copies all the songs off, uploads them to his favorite P2P site.

Everyone who now downloads this music has YOUR information and all of these songs can be tracked back to you, the RIAA sues you for piracy and takes your first born son (which is their going rate, I think.)

You buy a bunch of these new DRM free songs from iTunes which are all imbeded with your information (email address, etc.)
You put them all on your shiny new iPod.
Your iPod is stolen and the thief copies all the songs off, uploads them to his favorite P2P site.

Everyone who now downloads this music has YOUR information and all of these songs can be tracked back to you, the RIAA sues you for piracy and takes your first born son (which is their going rate, I think.)

Click to expand...

Imagine this, I pull out the police report indicating the stolen property and I am clear and free. I also produce the part about the IP address being in Alaska while I'm in Texas. Under those circumstances I would be more than happy to go to court and kick their ass. Again, honost people doing honost things have very little to worry about.

You buy a bunch of these new DRM free songs from iTunes which are all imbeded with your information (email address, etc.)
You put them all on your shiny new iPod.
Your iPod is stolen and the thief copies all the songs off, uploads them to his favorite P2P site.

Everyone who now downloads this music has YOUR information and all of these songs can be tracked back to you, the RIAA sues you for piracy and takes your first born son (which is their going rate, I think.)

Click to expand...

Imagine this, I pull out the police report indicating the stolen property and I am clear and free. I also produce the part about the IP address being in Alaska while I'm in Texas. Again, honost people doing honost things have very little to worry about.

Click to expand...

Do people actually file police reports when they lose an Ipod to theft (assuming they didn't lose it by mistake)?

I guess the only relevant question then is, is this new or has Apple already been doing it with all ITMS music and people are just making a big deal now to take a shot at DRM-free music?

Click to expand...

That I don't know, hopefully someone else does. Personally, I'd prefer if my personal information wasn't in ANY music file, DRM or not. I don't really use iTunes (initially for the DRM, but more because I still would rather have the CD than pay the same amount from iTunes.)

Click to expand...

From what I read about it, all tracks downloaded via iTunes have always had identifying data in them, so this is nothing new.

Top Poster Of Month

If you think the RIAA will say "oh, ok, nevermind" then you're being naive. Go over to /. and read the discussions. There are several people countersuing the RIAA trying to recover legal fees due to long court battles after which the RIAA finally gave up the witch hunt.

Imagine this, I pull out the police report indicating the stolen property and I am clear and free. I also produce the part about the IP address being in Alaska while I'm in Texas. Under those circumstances I would be more than happy to go to court and kick their ass. Again, honost people doing honost things have very little to worry about.

Click to expand...

I suspect most people lose their IPods, rather than have them directly stolen from their possession, like in a mugging or robbery. How many of those people who lost their IPod do you think file a police report?

But even if they do have a police report, how much will it cost them in attorney fees to clear their names? More than one innocent person has had to sell their house or spend their life savings to pay for a lawyer after being wrongly accused. They may prove their innocence in the end, but at what cost? Keep in mind that in our system the loser does not pay. If you're proven innocent the government does not reimburse your attorney fees. Even in civil cases you may not receive attorney fees.

Something that disturbs me greatly is that a lot of people seem to becoming more accepting of the idea that the accused should be able or even be required to prove their innocence, rather than the accuser having to prove guilt. That is not how our system is intended to work, the burden of proof is supposed to be on the accuser, whether it's the district attorney or the RIAA.